CVE-2016-4463

Published: 08 July 2016

Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.

From the Ubuntu security team

It was discovered that Xerces-C XML Parser fails to successfully parse a DTD that is too deeply nested. An unauthenticated attacker could use this vulnerability to cause a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: xerces-c (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (3.1.3+debian-2.1, 3.1.1-5.1+deb8u3, 3.1.1-3+deb7u4)
Ubuntu 21.10 (Impish Indri)       Not vulnerable (3.2.0+debian-2)
Ubuntu 21.04 (Hirsute Hippo)      Not vulnerable (3.2.0+debian-2)
Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable (3.2.0+debian-2)
Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable (3.2.0+debian-2)
Ubuntu 16.04 ESM (Xenial Xerus)   Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr)    Released (3.1.1-5.1+deb8u3build0.14.04.1)

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1747619